Rogers Media uses cookies for personalization, to customize its online advertisements, and for other purposes. Learn more or change your cookie preferences. Rogers Media supports the Digital Advertising Alliance principles. By continuing to use our service, you agree to our use of cookies.

We use cookies (why?) You can change cookie preferences. Continued site use signifies consent.

A timeline of the Canada Revenue Agency's response to the Heartbleed bug

RCMP investigators canvass the neighbourhood around the house of Stephen Arthuro Solis-Reyes, 19, in London, Ont., in London, Ontario on Wednesday, April 16, 2014. Police have charged a 19-year-old man from London, Ont., in connection with the loss of taxpayer data from the Canada Revenue Agency website. THE CANADIAN PRESS/Dave Chidley

OTTAWA – A timeline of the Canada Revenue Agency’s response to the Heartbleed bug:

Monday, April 7: The Canada Revenue Agency says it was first informed of the Heartbleed bug.

Tuesday, April 8: Two senior CRA officials testify at a parliamentary committee, which begins at 11 a.m. Neither make any mention of Heartbleed.

Later that same day, the CRA shuts down public access to its online filing services. The agency says it has been working to implement a patch for the bug and test its systems.

Friday, April 11: At some point in the morning or early afternoon, the CRA notifies the RCMP and the privacy commissioner about a breach of taxpayer data that occurred over an unspecified six-hour period. The agency says at least 900 social insurance numbers were stolen.

The RCMP says it asked the CRA late that afternoon to hold off telling the public about the breach until Monday, April 14, so it could follow up leads in its investigation. The CRA complies.

Sunday, April 13: The CRA restores public access to all its online services.

Monday, April 14: The agency releases a statement indicating at least 900 social insurance numbers had been stolen by someone exploiting the Heartbleed bug.

Tuesday, April 15: The RCMP reveals it asked the CRA to hold off telling the public about the breach until Monday so it could follow up leads in its investigation.

Wednesday, April 16: The RCMP charges 19-year-old Stephen Arthuro Solis-Reyes with one count of unauthorized use of computer and one count of mischief in relation to data. He is scheduled to appear in an Ottawa court on July 17.

—

Sources:

Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bughttp://www.cra-arc.gc.ca/gncy/sttmnt2-eng.html